Want to use signed encryption scope while generating SAS token and then get a blob which has used same scope during the time of upload. Currently it's throwing 403- unauthorized error when I try to fetch a blob which was uploaded to backend using same customer-managed encryption key.
This error may cause if the key has been disabled or deleted, access to customer-managed keys has been revoked, or your access token activation time is expired
Please check that you followed the below workaround correctly
After clicking key vault and key, try to generate a new key vault and key after clicking them to prevent an error. In Encryption scopes check you have given valid key vault and key and infrastructure encryption should be Enable as below
when you try to fetch a blob which was uploaded to backend using same customer-managed encryption key check whether your authentication type should be in account key, and you choose existing scope is valid as below
Once you upload a blob ensure you have generate SAS token and URL and try to use blob SAS URL for accessible
Reference: Authorize with Shared Key and Forbidden (403), Unauthorized (401),
Related
The near wallet login callback only provides ?account_id=<cyberfeng.testnet>&all_keys=<public-keys> and the receiving side cannot verify the request is authentically coming from NEAR wallet. Checking the referrer header is unreliable as a hacker can use curl or other http clients to send fake requests
A signature or something that can be verified would be ideal
Does this exist?
Partial Answer:
I've since learned that the preferred method for user verification is to:
Send a wallet.near.org request for the user to add a function access key to their account.
You'll then have the function access key available to your websites local storage
You can then use that function access key to sign requests as the user for the specified function. You can also verify the key was added to their Near Name account which confirms access to their identity.
Unfortunately this method requires:
The user to pay a small transaction fee
The User to add an access key to their account
The requester to specify a target contract for the function access key
Outstanding Question:
Is there a simple way to sign a transaction with the local storage access key held at wallet.near.org and return that result so that I can query the users keys & verify that an existing key signed the transaction.
Why:
It's gasless - My new users have limited or 0 funds
I don't want to train users to add unnecessary access keys to their accounts
I don't need function access. I just need to securely verify their identity
I'm trying to encrypt my sensitive data for an application. For the key generation part, I'm using crypto/pbkdf2. I'm generating the encryption key on the fly based on the user supplied password. When a user is created, that's when I'm encrypting the corresponding data of the user with the user's supplied password. However, whenever that particular user tries to access a resource, I've to decrypt the data before showing it to the user. Where do I get the password from, everytime an endpoint is called by that user to access a resource?
Note: I'm storing the hashed password of the user in the database schema, also I don't want to store the encryption password anywhere!
The typical solution to this is called token-based authentication (or in OAuth terms, Resource Owner Password Credential Flow).
Create a "login" endpoint that will derive the encryption key from the supplied username/password and exchange it for a (time-limited) "access token", storing it in a key-value store with TTL support (e.g. etcd, Redis).
Then each subsequent request will need to supply the access token (e.g. in the Authorization header), which is then used to retrieve the encryption key from the key-value store.
I am using the access token to play my private videos in my android app and for that, I am created an access token.
But It says,
The OAuth Playground will automatically revoke refresh tokens after 24h. You can avoid this by specifying your own application OAuth credentials using the Configuration panel
I tried to add my own client secrets and ID and after creating a new token, it still displays the same NOTE.
How can I create a permanent access token that will not expire?
I tried to change available parameters like Access Type Online, Offline, and still shows same NOTE.
Google apis generally do not let you get a permanent access token
Access tokens have limited lifetimes. If your application needs access to a Google API beyond the lifetime of a single access token, it can obtain a refresh token. A refresh token allows your application to obtain new access tokens.
Generate an offline refresh token to use and get a short lived access token
This is part of the Oauth2 standard
As JWT tokens are sent over the headers to authenticate uses, a user can just inspect the web call in chrome dev tools and copy paste the token and use it to access the exposed API.
For example, if I am using this token to create a record, a malicious user can use the same token (by using the above mentioned way) to create a new record in Database.
How can I stop this from happening? Is using Token Encryption with public key of server the way to stop this?
Token represents user identity. It is normal, that user can view his own token.
Token is validated on the server. Normally there is is no easy way to fake a token. Use cannot generate a new token on his own.
Communication between browser and server should be done via TLS. Then no third party will be able to see the token.
If your user gives access to his browser to somebody else, then yes, the other person can potentially access the token and used it later on on another computer, it this token is not expired yet. But this is not specific to the token, this is like giving access to your password to smb else.
Several steps can be taken as given below:
You should use https connection instead of http connection. This will encrypt your message which is sent to server or received from server. So if a man in the middle catches your packet, he can't do anything because message is encrypted.
Also add a short time validity for jwt token depending your app behavior.
Add an appropriate key size for your self-signed token validation. AES keys shorter than 128 bits, or RSA keys shorter than 1024 bits for legacy apps.2048 bits encryption now a days popular.
HSM (Hardware Security Module) can be introduce for signing and encryption task while key are not accessible from OS or software level.
You should be digging deep for more here[cheat sheet for jwt token OWASP].
I want to use OAuth JWT token for authorization. By some reasons (osgi container) I can't use spring-oauth-security.
In the readme of spring-oauth-security I have found a quote:
The JSON Web Token (JWT) version of the store encodes all the data about the grant into the token itself (so no back end store at all which is a significant advantage).
https://github.com/spring-projects/spring-security-oauth/blob/master/docs/oauth2.md
I am absolutely don't catch "no back end store at all". There are two cases in jwt:
symmetric key or shared secret (HMAC);
Verifier key is a shared secret and is available by /token_key URL.
Question 1: I should store shared secret on server for each registered user. Why "no back end store at all"?
asymmetric key (RS/ES);
/token_key returns public key (without principal).
Question 2: But why we use only one public key for all users? It is unable to generate more than one private key for the same public key in rsa, isn't it? Only one pair private key - public key is allowed in RSA.
I don't understand a flow and why "no back end store at all".
You do not use different keys per user but per Identity Provider.
Identity Provider signs a JWT with a key and you are able to validate it for each user without a backend lookup. For JWT validation you only need a key related to the Identity Provider - even if you store it on some DB, you could fetch it once and cache it. For assymetric keys, OIDC even defines a URL to fetch the public key(s) used for signature.
The key is used to trust the Identity Provider and thus implicitly the identities it provides.
This is quite good article on the topic:
https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/